Malware that steals certificates

By Luther Martin — October 1, 2010

Since September 20 there has been a piece of malware in circulation, Infostealer.Nimkey, that actually tries to steal digital certificates. In particular, one thing Infostealer.Nimkey does is look for strings and files matching the pattern Cert_*.p12 and send any it finds to a server at IP address 116.255.149.86. According to the IP address locator at geobytes.com, this address is in Beijing, China.

I'd guess that hackers are trying to get code-signing certificates rather than the certificates that users use for authentication, signing, or encryption. There have been lots of reports recently about signed malware, and this may just be hackers trying to get more certificates so they can sign even more malware. Any other kind of certificate probably isn't worth stealing. The certificates that the US Department of Defense uses, for example, are all on smart cards, so you can't just steal a PKCS#12 file to get them.
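A defender-side check for the two indicators in this post, as an added example that is not part of the original article: it inventories PKCS#12 files by the file-name pattern the malware hunts for (extended, as an addition, to the .pfx extension) and flags outbound connections to the upload address in a constructed proxy-log format; the file paths and log lines are constructed sample data.

```python
import fnmatch
import re

# Indicators from the post: the file-name pattern the malware hunts for and
# the server it uploads matches to.
TARGET_GLOB = "cert_*.p12"
EXFIL_IP = "116.255.149.86"
# Added generalisation (not from the post): .pfx is the other common PKCS#12
# extension, so an exposure inventory should cover it as well.
PKCS12_GLOBS = ("*.p12", "*.pfx")

def classify_path(path):
    """'targeted' if the file name matches the malware's pattern, 'pkcs12' for
    any other PKCS#12 container, else None. Case-insensitive, as Windows is."""
    name = re.split(r"[\\/]", path)[-1].lower()
    if fnmatch.fnmatchcase(name, TARGET_GLOB):
        return "targeted"
    if any(fnmatch.fnmatchcase(name, g) for g in PKCS12_GLOBS):
        return "pkcs12"
    return None

def inventory(paths):
    """Group file paths (e.g. from a file-system walk) by exposure class."""
    hits = {"targeted": [], "pkcs12": []}
    for p in paths:
        cls = classify_path(p)
        if cls:
            hits[cls].append(p)
    return hits

# Constructed proxy-log line format: "<time> <client> <dest_ip>:<port> <bytes_out>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\d+)$")

def find_exfil(log_lines):
    """(client, bytes_out) for each connection to the exfil server. A .p12 is
    only a few kilobytes, so small transfers are still worth flagging."""
    found = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and m.group(3) == EXFIL_IP:
            found.append((m.group(2), int(m.group(5))))
    return found

# Constructed sample data so the block runs stand-alone.
SAMPLE_PATHS = [r"C:\Users\dev\Cert_release.p12", r"C:\Users\dev\old\CERT_OLD.P12",
                r"C:\Users\dev\vpn.pfx", r"C:\Users\dev\notes.txt"]
SAMPLE_LOG = ["2010-09-21T10:02:11Z 10.0.0.5 192.0.2.10:443 51200",
              "2010-09-21T10:02:19Z 10.0.0.5 116.255.149.86:80 4096",
              "2010-09-21T10:03:02Z 10.0.0.7 116.255.149.86:8080 3200"]
print(inventory(SAMPLE_PATHS), find_exfil(SAMPLE_LOG))
```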